Wolna praca, szczególnie internet

mateusheck · 1 Listopad 2007 14:59

Witam

od jakiego czasu komputer chodzi wolniej, a szczególnie internet (strony w przeglądarkach) mam neostrade 1,3 Mb prędkośc transferu jest prawidłowa. Arcavir pokazywał ze znalazł trojana jkklk.dll w Windows/system32 ale chyba sie z tym uporałem. oto log z hijackthis:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:51:12, on 2007-11-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\ArcaBit\ArcaUpdate\update.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe C:\Program Files\ArcaBit\Common\TaskScheduler.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\atwtusb.exe C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe C:\Program Files\Java\jre1.6.0\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Common Files\Teleca Shared\Generic.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Java\jre1.6.0\bin\jucheck.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing) O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {10B1C3F2-B7AC-40E7-8D94-7462B417A580} - C:\WINDOWS\system32\jkklk.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\urqomlk.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM…\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent O4 - HKLM…\Run: [semanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe O4 - HKLM…\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM…\Run: [atwtusb] atwtusb.exe beta O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKLM…\Run: [sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [ABRegmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe O4 - HKLM…\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe O4 - HKLM…\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0\bin\jusched.exe” O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime O4 - HKLM…\Run: [searchIndexer] rundll32.exe “C:\WINDOWS\system32\wvmcmukb.dll”,sitypnow O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [sair] “C:\PROGRA~1\COMMON~1\CROSOF~1.NET\mmc.exe” -vt yazb O4 - HKCU…\Run: [Odb] C:\Program Files\M?crosoft.NET??xplore.exe O4 - HKCU…\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe” O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKCU…\Run: [CTSyncU.exe] “C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe” O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [Tfasn] “C:\Program Files\Common Files?ppPatch\l?gonui.exe” O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Album Fast Start.lnk = D:\rysunki\Abmtsr.exe O4 - Global Startup: ATI CATALYST – pasek zadań.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\MSOFFICE\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … 0.0.15.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Seekmo/ … ccd2797d8b O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O17 - HKLM\System\CCS\Services\Tcpip…{A6B5F76A-4D5F-405A-B544-BD7E344F7D12}: NameServer = 194.204.159.1 217.98.63.164 O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll O20 - Winlogon Notify: urqomlk - C:\WINDOWS\SYSTEM32\urqomlk.dll O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\Program Files\ArcaBit\ArcaUpdate\update.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O24 - Desktop Component 0: (no name) - http://www.nici.net.pl/katalog/leon_herz_xl.bmp O24 - Desktop Component 1: (no name) - http://filiaul.sytes.net/~oglozae/diddl … all_53.jpg O24 - Desktop Component 2: (no name) - http://www.diddlomania.friko.pl/Tapety/ … 5_1024.jpg – End of file - 12890 bytes

jessica · 1 Listopad 2007 15:30

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing) O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing) O4 - HKLM…\Run: [semanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe O4 - HKLM…\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [searchIndexer] rundll32.exe “C:\WINDOWS\system32\wvmcmukb.dll”,sitypnow O4 - HKCU…\Run: [sair] “C:\PROGRA~1\COMMON~1\CROSOF~1.NET\mmc.exe” -vt yazb O4 - HKCU…\Run: [Odb] C:\Program Files\M?crosoft.NET??xplore.exe O4 - HKCU…\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKCU…\Run: [Tfasn] “C:\Program Files\Common Files?ppPatch\l?gonui.exe” O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … alFWBIniti alSetup1.0.0.15.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} - O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Seekmo/ … 24d277a65e 29ad03ad3d42864215130fde731594b5b249079575904f0e42e0aa800d8609d5dc5df56f78f3b0ca e74fc6db716e1c40d2e14d6e71d3f928a165ff3:69a5e0d97d06d5d0a36c33ccd2797d8b O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Ponieważ masz, m.in., infekcje “VUNDO” i “PurityScan”, to daj log z ComboFix (na dole tej strony z linku) -

Log wklej na http://wklej.org/, a w poście daj tylko link.(czyli skopiuj adres z paska adresów).

jessi

mateusheck · 1 Listopad 2007 16:47

dzieki za szybką odpowiedż

tu jest log z combofix:

http://up.wklej.org/download.php?id=e3c … 3fb719c51a

Złączono Posta : 01.11.2007 (Czw) 17:51

Najpierw zrobiłem log z combofix, a potem chcialem zrobić w hijack wg Twojej porady, ale już nie mam tego fragmentu, czy jest możliwe, że combofix to naprawił?

Złączono Posta : 01.11.2007 (Czw) 17:55

combofix zrobił jeszcze jeden plik z plikami poddanymi kwarantannie:

2004-09-19 12:18 1 --a------ C:\Qoobox\Quarantine\C\WINDOWS\HOSTS.vir 2005-12-25 18:58 0 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\user\Dane aplikacji\Install.dat.vir 2005-12-25 18:58 3057 --a------ C:\Qoobox\Quarantine\C\secure32.html.vir 2006-12-29 19:15 93635 --a------ C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1461OinUninstaller.exe.vir 2007-01-12 21:00 1150 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir 2007-01-12 21:00 18031 --a------ C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir 2007-01-14 12:32 106998 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\FISH.F3S.vir 2007-01-14 12:32 113081 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S.vir 2007-01-14 12:32 118784 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir 2007-01-14 12:32 118784 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir 2007-01-14 12:32 122747 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAID.F3S.vir 2007-01-14 12:32 12449 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Search\COMMON.F3S.vir 2007-01-14 12:32 129559 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S.vir 2007-01-14 12:32 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST.vir 2007-01-14 12:32 140 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST.vir 2007-01-14 12:32 143360 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir 2007-01-14 12:32 143421 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir 2007-01-14 12:32 147456 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir 2007-01-14 12:32 149817 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S.vir 2007-01-14 12:32 155471 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S.vir 2007-01-14 12:32 16384 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir 2007-01-14 12:32 20164 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG.vir 2007-01-14 12:32 24 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\s_pid.dat.vir 2007-01-14 12:32 243509 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S.vir 2007-01-14 12:32 24576 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir 2007-01-14 12:32 24658 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir 2007-01-14 12:32 24660 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir 2007-01-14 12:32 24662 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir 2007-01-14 12:32 272367 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S.vir 2007-01-14 12:32 28672 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir 2007-01-14 12:32 301118 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S.vir 2007-01-14 12:32 305 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT.vir 2007-01-14 12:32 311296 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir 2007-01-14 12:32 43287 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S.vir 2007-01-14 12:32 4814 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir 2007-01-14 12:32 49230 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir 2007-01-14 12:32 5446 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV.vir 2007-01-14 12:32 56438 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S.vir 2007-01-14 12:32 56688 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\REVERSI.F3S.vir 2007-01-14 12:32 6462 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR.vir 2007-01-14 12:32 65536 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir 2007-01-14 12:32 66726 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHESS.F3S.vir 2007-01-14 12:32 69632 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir 2007-01-14 12:32 71675 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\DOG.F3S.vir 2007-01-14 12:32 76013 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S.vir 2007-01-14 12:32 94208 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir 2007-01-20 22:33 0 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\02547FEB.vir 2007-02-09 13:12 0 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\00046FDD.vir 2007-04-05 11:02 49 --a------ C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\IEKey.dll.vir 2007-06-18 13:17 4 --a------ C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\ScreenSaver\Images\0019A6B6.urr.vir 2007-06-21 10:19 1670 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\user\Menu Start\Programy\Outerinfo\Uninstall.lnk.vir 2007-06-21 10:19 710 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\user\Menu Start\Programy\Outerinfo\Terms.lnk.vir 2007-07-20 14:27 61 --a------ C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\files.ini.vir 2007-09-15 17:10 44054 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\urqomlk.dll.vir 2007-09-15 17:16 244832 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkklk.dll.vir 2007-09-15 17:16 6448 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klkkj.bak1.vir 2007-09-20 11:51 125504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oosryabu.dll.vir 2007-09-20 11:51 693555 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ubayrsoo.ini.vir 2007-09-21 13:15 693407 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vosqnksp.ini.vir 2007-09-21 13:15 87616 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\psknqsov.dll.vir 2007-09-21 14:19 87616 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lvbkbbrm.dll.vir 2007-09-21 17:33 693421 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mrbbkbvl.ini.vir 2007-09-22 14:22 86080 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvmcmukb.dll.vir 2007-10-31 21:54 100538 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klkkj.bak2.vir 2007-11-01 12:36 593 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir 2007-11-01 16:36 104037 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\klkkj.ini.vir 2007-11-01 17:18 577289 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bkumcmvw.ini.vir 2007-11-01 17:27 2546 --a------ C:\Qoobox\Quarantine\catchme.log 2007-11-01 17:27 788223 --a------ C:\Qoobox\Quarantine\catchme2007-11-01_173136.46.zip 2007-11-01 17:29 10878 --a------ C:\Qoobox\Quarantine\C\check_LSA7.txt.vir Zmienna PATH folderu Numer seryjny woluminu: D4AB-1BD0 C:\QOOBOX\QUARANTINE | catchme.log | catchme2007-11-01_173136.46.zip | ±–C | | check_LSA7.txt.vir | | secure32.html.vir | | | ±–Documents and Settings | | —user | | ±–Dane aplikacji | | | Install.dat.vir | | | | | —Menu Start | | —Programy | | —Outerinfo | | Terms.lnk.vir | | Uninstall.lnk.vir | | | ±–Program Files | | ±–Common Files | | | Yazzle1461OinUninstaller.exe.vir | | | | | ±–FunWebProducts | | | —ScreenSaver | | | —Images | | | 0019A6B6.urr.vir | | | | | ±–Internet Explorer | | | IEKey.dll.vir | | | | | ±–MyWebSearch | | | —bar | | | ±–1.bin | | | | F3BKGERR.JPG.vir | | | | F3BROVLY.DLL.vir | | | | F3DTACTL.DLL.vir | | | | F3HTMLMU.DLL.vir | | | | F3IMSTUB.DLL.vir | | | | F3POPSWT.DLL.vir | | | | F3REPROX.DLL.vir | | | | F3SHLLVW.DLL.vir | | | | F3SPACER.WMV.vir | | | | F3WALLPP.DAT.vir | | | | M3FFXTBR.JAR.vir | | | | M3FFXTBR.MANIFEST.vir | | | | M3IDLE.DLL.vir | | | | M3IMPIPE.EXE.vir | | | | M3MSG.DLL.vir | | | | M3NTSTBR.JAR.vir | | | | M3NTSTBR.MANIFEST.vir | | | | M3PLUGIN.DLL.vir | | | | M3SKIN.DLL.vir | | | | M3SLSRCH.EXE.vir | | | | M3SRCHMN.EXE.vir | | | | MWSOEPLG.DLL.vir | | | | NPMYWEBS.DLL.vir | | | | | | | ±–Avatar | | | | COMMON.F3S.vir | | | | | | | ±–Cache | | | | 00046FDD.vir | | | | 02547FEB.vir | | | | files.ini.vir | | | | | | | ±–Game | | | | CHECKERS.F3S.vir | | | | CHESS.F3S.vir | | | | REVERSI.F3S.vir | | | | | | | ±–Notifier | | | | COMMON.F3S.vir | | | | DOG.F3S.vir | | | | FISH.F3S.vir | | | | KUNGFU.F3S.vir | | | | LIFEGARD.F3S.vir | | | | MAID.F3S.vir | | | | MAILBOX.F3S.vir | | | | OPERA.F3S.vir | | | | ROBOT.F3S.vir | | | | SEDUCT.F3S.vir | | | | SURFER.F3S.vir | | | | | | | ±–Search | | | | COMMON.F3S.vir | | | | | | | —Settings | | | s_pid.dat.vir | | | | | ±–MyWebSearch.vir | | | —bar | | | —1.bin | | —Outerinfo | | outerinfo.ico.vir | | Terms.rtf.vir | | | —WINDOWS | | cookies.ini.vir | | HOSTS.vir | | | —system32 | bkumcmvw.ini.vir | jkklk.dll.vir | klkkj.bak1.vir | klkkj.bak2.vir | klkkj.ini.vir | lvbkbbrm.dll.vir | mrbbkbvl.ini.vir | oosryabu.dll.vir | psknqsov.dll.vir | ubayrsoo.ini.vir | urqomlk.dll.vir | vosqnksp.ini.vir | wvmcmukb.dll.vir | —Registry_backups

jessica · 1 Listopad 2007 17:54

Wklej do Notatnika :

File::

C:\WINDOWS\svd.exe

E:\ie.exe


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{281dbba8-4745-11dc-b9d0-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5de1392a-5c35-11db-86a8-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64beea4-c834-11db-b8d3-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c64beea7-c834-11db-b8d3-4d6564696130}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sair"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Tfasn"=-

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Daj ten log do kontroli.

jessi

mateusheck · 1 Listopad 2007 18:14

log po operacji:

ComboFix 07-11-01.1** - user 2007-11-01 19:04:16.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.116 [GMT 1:00] Running from: C:\Documents and Settings\user\Pulpit\ComboFix.exe Command switches used :: C:\Documents and Settings\user\Pulpit\CFScript.txt * Created a new restore point FILE:: C:\WINDOWS\svd.exe E:\ie.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\svd.exe . ((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 ))))))))))))))))))))))))))))))) . 2007-11-01 17:13 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-01 16:29 2007-11-01 16:29 2007-11-01 15:50 2007-11-01 12:59 2007-11-01 12:59 2007-11-01 12:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-11-01 12:33 2007-11-01 12:33 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-01 17:10 --------- d-----w C:\Program Files\Java 2007-09-24 22:14 --------- d-----w C:\Program Files\DOSBox-0.72 2007-09-19 17:54 --------- d-----w C:\Program Files\eMule 2007-09-18 12:33 --------- d-----w C:\Program Files\PokerStars 2007-09-18 12:09 --------- d-----w C:\Program Files\Tank Universal demo 2007-09-17 12:02 --------- d-----w C:\Program Files\Electronic Arts 2007-09-16 12:22 --------- d-----w C:\Program Files\Common Files\Error Report 2007-09-15 16:18 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-09-15 16:17 --------- d-----w C:\Program Files\LucasArts 2007-09-14 13:56 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll 2007-09-14 13:56 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll 2007-09-14 13:56 --------- d-----w C:\Program Files\OpenAL 2007-09-14 13:56 --------- d-----w C:\Program Files\Infinite Interactive 2007-09-09 08:54 --------- d-----w C:\Program Files\JoWooD 2007-09-09 08:53 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\InstallShield 2007-09-07 15:22 --------- d-----w C:\Program Files\Techland 2007-09-02 12:21 --------- d-----w C:\Program Files\Microsoft Games 2007-09-01 11:01 --------- d-----w C:\Documents and Settings\user\Dane aplikacji\ArcaBit 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-06-10 12:33 3,872 ----a-w C:\Documents and Settings\user\Dane aplikacji\ViewerApp.dat 2006-12-30 17:58 40 ----a-w C:\Documents and Settings\user\language.dat . ((((((((((((((((((((((((((((( snapshot@2007-11-01_17.33.12.12 ))))))))))))))))))))))))))))))))))))))))) . - 2007-07-30 13:12:45 135,168 ----a-w C:\WINDOWS\system32\java.exe + 2007-09-24 21:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe - 2007-07-30 13:12:45 135,168 ----a-w C:\WINDOWS\system32\javaw.exe + 2007-09-24 21:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe - 2007-07-30 13:12:45 139,264 ----a-w C:\WINDOWS\system32\javaws.exe + 2007-09-24 22:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Skrót do strony właściwości High Definition Audio”=“HDAudPropShortcut.exe” [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe] “Cmaudio”=“cmicnfg.cpl” [] “ATIPTA”=“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2005-06-28 20:05] “Easy-PrintToolBox”=“C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe” [2004-01-14 03:10] “BluetoothAuthenticationAgent”=“bthprops.cpl” [2004-08-04 13:00 C:\WINDOWS\system32\bthprops.cpl] “atwtusb”=“atwtusb.exe” [2005-09-21 17:08 C:\WINDOWS\system32\ATWTUSB.EXE] “Sony Ericsson PC Suite”=“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” [2005-10-26 16:17] “TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-03-30 13:40] “DAEMON Tools”=“C:\Program Files\DAEMON Tools\daemon.exe” [2006-09-14 21:09] “QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 08:41] “ABRegmon”=“C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe” [2007-07-12 09:40] “AvMenu”=“C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe” [2007-10-22 14:51] “ArcaCheck”=“C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe” [2007-07-27 12:57] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11] “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [2006-06-09 01:17] “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 10:50] “iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-06-01 15:51] “ATICCC”=“C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2005-06-29 00:09] “!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 10:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 13:00] “H/PC Connection Agent”=“C:\Program Files\Microsoft ActiveSync\wcescomm.exe” [2005-11-15 19:44] “CTSyncU.exe”=“C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe” [2006-08-07 10:06] “NBJ”=“C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” [2004-09-22 15:10] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-05-10 15:36] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener] TS_LogonListener.dll 2007-01-12 15:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys R1 ABTDI;ABTDI;??\C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys R2 ABFileMon;ArcaBit FileMonitor;“C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe” R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;“C:\Program Files\ArcaBit\Common\TaskScheduler.exe” R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe R3 ABFLT;ArcaBit File Monitor Driver;??\C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe” R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe” . Contents of the ‘Scheduled Tasks’ folder “2007-06-22 07:45:47 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-01 19:07:58 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-01 19:08:46 C:\ComboFix2.txt … 2007-11-01 17:34 . — E O F —

jessica · 1 Listopad 2007 18:18

Wg mnie - jest czysto.

jessi

mateusheck · 1 Listopad 2007 20:23

Jest już lepiej.

Dzięki wielkie Jessi

spróbuje porobić dalsze porządki i optymalizacje.

POZDRAWIAM